Getting started

How Active Directory security scanning works

Three simple steps to run PrivLens — your local Active Directory security scanner and AD assessment tool. Download, scan with built-in Active Directory checks and rules, then review the PDF report. No installation, no configuration, no cloud.

1. Download

Grab the single privlens.exe binary from the download page. Nothing to install, no dependencies, no account needed.

2. Run

Double-click it on any domain-joined Windows machine. PrivLens uses your current credentials and scans your domain read-only. No admin needed for most checks.

3. Review

It writes privlens-report.pdf to the same folder. Open it in any PDF reader, review the findings, and share with your team or stakeholders.

What happens when you run it

  • Discovers your domain automatically
  • Connects to a domain controller using your Windows login (no password prompt)
  • Runs 8 high-impact security checks against your Active Directory
  • Completes in under a minute for most environments
  • Writes a self-contained PDF report locally

What it does NOT do

  • Make any changes to your directory (the scan is read-only)
  • Send data anywhere (everything stays on your machine)
  • Require an account or signup
  • Call home, check for updates, or collect telemetry
  • Require administrator rights (for most checks)

Command-line options (optional)

  • privlens.exe — runs a full scan, outputs to ./privlens-report.pdf
  • privlens.exe -out C:\path\report.pdf — saves report to a custom path
  • privlens.exe -domain corp.local — scans a specific domain (if multi-domain)

The report

The PDF report is ready to share with your client as-is. It shows:

  • Domain name and scan timestamp
  • Total checks run (coverage)
  • Issues found, grouped by severity (Critical / Warnings)
  • Each finding with a plain-English explanation and remediation step
  • A complete list of all checks that ran and their outcomes (passed / failed)

Requirements

  • Windows: Windows 10, Windows 11, Server 2012+
  • Domain-joined: The machine running PrivLens must be joined to the domain you're scanning
  • Read access: Works as a standard domain user. A few checks benefit from elevated rights, but the scan completes gracefully with reduced coverage if needed
  • Network: Must be able to reach a domain controller on port 636 (LDAPS) or 389 (LDAP)
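
A pre-flight check for the requirements above, as an added example that is not part of PrivLens or its documentation. It uses only built-in Windows CIM and .NET calls; the function name Test-TcpPort and the parameter names are assumptions made for this sketch.

```powershell
# Added example: checks the PrivLens requirements (domain-joined host,
# domain logon, DC reachable on 636 or 389). Not part of PrivLens itself.
param(
    [string]$Domain,           # optional; defaults to the machine's own domain
    [int]$TimeoutMs = 3000     # per-port connect timeout
)

Add-Type -AssemblyName System.DirectoryServices

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() throws if the connection is refused; treat that as unreachable.
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This machine is not domain-joined."
    return
}
if (-not $Domain) { $Domain = $cs.Domain }

try {
    # Locate a domain controller for the target domain via the DC locator.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx).Name
} catch {
    Write-Warning "No domain controller found for ${Domain}: $($_.Exception.Message)"
    return
}

$ldaps = Test-TcpPort -HostName $dc -Port 636 -TimeoutMs $TimeoutMs
$ldap  = Test-TcpPort -HostName $dc -Port 389 -TimeoutMs $TimeoutMs
[pscustomobject]@{
    Domain           = $Domain
    DomainController = $dc
    # A local (non-domain) logon shows the computer name as USERDOMAIN.
    DomainLogon      = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
    LDAPS_636        = $ldaps
    LDAP_389         = $ldap
    ReadyToScan      = ($ldaps -or $ldap)
}
```

Run it as the same user who will launch privlens.exe, since the scan uses that user's current credentials.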